A section named .ani is appended to the end of each infected file. When an infected file is run, it drops a temporary file named ani.ani and executes it; that file is the virus body, logogogo.exe.
6. Connects to the network to download trojans: it reads the download list at http://dow.*.us/xxx.txt, then downloads http://dow.*.com/1.exe through http://dow.*.com/20.exe into %systemroot%\system, using SYSTEM128.tmp as the temporary file while each download is in progress.
7. The virus also collects the current machine name, operating system version, MAC address and other information.
8. The virus body contains an advertisement left by its author: "出售下载者 QQ 2892*" (roughly "downloader for sale, QQ 2892*").
The SREng log after the trojan has finished installing is as follows:
启动项目
注册表
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<logogogo><%systemroot%\system\logogogo.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><kvdxsima.dll> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{8E32FA58-3453-FA2D-BC49-F340348ACCE8}><%systemroot%\system32\rsmyhpm.dll> []
<{A2AC7E3B-30BE-466f-8BAB-1FF9DADD8C7D}><%systemroot%\system32\KVBatch01.dll> []
<{5A321487-4977-D98A-C8D5-6488257545A5}><%systemroot%\system32\kapjezy.dll> []
<{5A1247C1-53DA-FF43-ABD3-345F323A48D5}><%systemroot%\system32\avwgemn.dll> []
<{6859245F-345D-BC13-AC4F-145D47DA34F6}><%systemroot%\system32\avzxfmn.dll> []
<{4960356A-458E-DE24-BD50-268F589A56A4}><%systemroot%\system32\avwldmn.dll> []
<{5598FF45-DA60-F48A-BC43-10AC47853D55}><%systemroot%\system32\rarjepi.dll> []
<{A6650011-3344-6688-4899-345FABCD156A}><%systemroot%\system32\ratbjpi.dll> []
<{38907901-1416-3389-9981-372178569983}><%systemroot%\system32\kawdczy.dll> []
<{9D561258-45F3-A451-F908-A258458226D9}><%systemroot%\system32\kvdxsima.dll> []
<{44783410-4F90-34A0-7820-3230ACD05F44}><%systemroot%\system32\raqjdpi.dll> []
<{97D81718-1314-5200-2597-587901018079}><%systemroot%\system32\kaqhizy.dll> []
<{38847374-8323-FADC-B443-4732ABCD3783}><%systemroot%\system32\sidjczy.dll> []
<{8D47B341-43DF-4563-753F-345FFA3157D8}><%systemroot%\system32\kvmxhma.dll> []
<{24909874-8982-F344-A322-7898787FA742}><%systemroot%\system32\swjqbzc.dll> []
<{A12C8D43-AC10-4C17-9136-E3E2FC9B3D21}><%Program Files%\Internet Explorer\PLUGINS\Wn_Sys8x.Sys> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]
<IFEO[360rpt.exe]><%systemroot%\system\logogogo.exe> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
<IFEO[360Safe.exe]><%systemroot%\system\logogogo.exe> []
...
==================================
正在运行的进程
[PID: 1724][%systemroot%\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[%systemroot%\system32\rsmyhpm.dll] [N/A, ]
[%systemroot%\system32\KVBatch01.dll] [N/A, ]
[%systemroot%\system32\kapjezy.dll] [N/A, ]
[%systemroot%\system32\avwgemn.dll] [N/A, ]
[%systemroot%\system32\avzxfmn.dll] [N/A, ]
[%systemroot%\system32\avwldmn.dll] [N/A, ]
[%systemroot%\system32\rarjepi.dll] [N/A, ]
[%systemroot%\system32\ratbjpi.dll] [N/A, ]
[%systemroot%\system32\kawdczy.dll] [N/A, ]
[%systemroot%\system32\kvdxsima.dll] [N/A, ]
[%systemroot%\system32\raqjdpi.dll] [N/A, ]
[%systemroot%\system32\kaqhizy.dll] [N/A, ]
[%systemroot%\system32\sidjczy.dll] [N/A, ]
[%systemroot%\system32\kvmxhma.dll] [N/A, ]
[%systemroot%\system32\swjqbzc.dll] [N/A, ]
[%Program Files%\Internet Explorer\PLUGINS\Wn_Sys8x.Sys] [N/A, ]
==================================
Winsock 提供者
MSAPI Tcpip [TCP/IP] %systemroot%\system32\qdshm.dll(, N/A)
MSAPI Tcpip [UDP/IP] %systemroot%\system32\qdshm.dll(, N/A)
==================================
Autorun.inf
[C:\] [AutoRun] OPEN=XP.EXE shellexecute=XP.EXE shell\打开(&O)\command=XP.EXE
[D:\] [AutoRun] OPEN=XP.EXE shellexecute=XP.EXE shell\打开(&O)\command=XP.EXE
...
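As an added defender-side example (not part of the original analysis), the following Python script parses a SREng-style startup log in the format shown above and flags the persistence mechanisms this sample relies on: an Image File Execution Options redirect, a non-empty AppInit_DLLs value, ShellExecuteHooks CLSIDs missing from a known-good baseline, a Run entry launching from the legacy %systemroot%\system directory, and autorun.inf entries on drive roots. It also reports any file referenced by more than one mechanism, which is the strongest single signal in this log (logogogo.exe is both the Run entry and the IFEO target). The sample log is constructed from entries on this page; the known-good hook allowlist, the rule names and the function names are assumptions of this example, not SREng's own.

```python
"""Triage a SREng-style startup log for the persistence patterns above.

Entry format (one per line, as in the log on this page):
    [REGISTRY KEY]            starts a new key
    <value name><data> []     one value under the current key
    [C:\] [AutoRun] k=v ...   one autorun.inf record
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the page's SREng output (entries trimmed).
SAMPLE_LOG = r"""
启动项目
注册表
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<logogogo><%systemroot%\system\logogogo.exe> []
<ctfmon.exe><%systemroot%\system32\ctfmon.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><kvdxsima.dll> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{AEB6717E-7E19-11d0-97EE-00C04FD91972}><%systemroot%\system32\shell32.dll> []
<{8E32FA58-3453-FA2D-BC49-F340348ACCE8}><%systemroot%\system32\rsmyhpm.dll> []
<{9D561258-45F3-A451-F908-A258458226D9}><%systemroot%\system32\kvdxsima.dll> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
<IFEO[360Safe.exe]><%systemroot%\system\logogogo.exe> []
==================================
Autorun.inf
[C:\] [AutoRun] OPEN=XP.EXE shellexecute=XP.EXE shell\打开(&O)\command=XP.EXE
[D:\] [AutoRun] OPEN=XP.EXE shellexecute=XP.EXE shell\打开(&O)\command=XP.EXE
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
ENTRY_RE = re.compile(r"^<([^>]*)><([^>]*)>")
AUTORUN_RE = re.compile(r"^\[([A-Za-z]:\\)\]\s+\[AutoRun\]\s+(.*)$")

# Assumed baseline: shell32's own URL Exec Hook is the one hook a clean XP
# install registers. In practice, build this set from a known-clean machine.
KNOWN_GOOD_HOOKS = {"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"}


@dataclass
class Finding:
    rule: str
    detail: str


def parse_log(text):
    """Return ([(key, value_name, data), ...], [(drive, {k: v}), ...])."""
    entries, autoruns, key = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := AUTORUN_RE.match(line):
            pairs = dict(p.split("=", 1) for p in m.group(2).split() if "=" in p)
            autoruns.append((m.group(1), pairs))
        elif m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := ENTRY_RE.match(line)) and key:
            entries.append((key, m.group(1), m.group(2)))
    return entries, autoruns


def triage(entries, autoruns):
    findings = []
    seen = {}  # lowercase file name -> mechanisms that reference it
    for key, name, data in entries:
        mech = key.rsplit("\\", 1)[-1]  # last key component, e.g. "Run"
        if "\\Image File Execution Options\\" in key:
            # A Debugger value under IFEO\<exe> runs <data> instead of <exe>.
            findings.append(Finding("ifeo-redirect", f"{mech} -> {data}"))
            mech = "IFEO"
        elif name.lower() == "appinit_dlls" and data:
            # AppInit_DLLs is loaded into every process that links user32.dll.
            findings.append(Finding("appinit-dll", data))
            mech = "AppInit_DLLs"
        elif key.endswith("\\ShellExecuteHooks") and name not in KNOWN_GOOD_HOOKS:
            findings.append(Finding("unknown-shellexecutehook", f"{name} -> {data}"))
        elif key.endswith("\\Run") and "\\system\\" in data.lower():
            # %systemroot%\system is the legacy 16-bit directory; real
            # services live in system32, so a Run target here stands out.
            findings.append(Finding("run-from-legacy-system-dir", f"{name} -> {data}"))
        seen.setdefault(data.lower().rsplit("\\", 1)[-1], set()).add(mech)
    for fname, mechs in seen.items():
        if len(mechs) > 1:
            findings.append(Finding("multi-mechanism", f"{fname} via {sorted(mechs)}"))
    for drive, pairs in autoruns:
        target = pairs.get("OPEN") or pairs.get("shellexecute")
        if target:
            findings.append(Finding("autorun-inf", f"{drive} -> {target}"))
    return findings


def triage_text(text):
    return triage(*parse_log(text))


if __name__ == "__main__":
    for f in triage_text(SAMPLE_LOG):
        print(f"{f.rule:28} {f.detail}")
```

Each rule is deliberately narrow, so the script reports nothing for the benign ctfmon.exe Run entry and the shell32 hook; on a real log the baseline set is what keeps the ShellExecuteHooks rule from paging on every machine.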